I’m not sure that OpenID is going to solve many problems in itself – it is not necessarily a stronger form of authentication – but here as least is some progress in improving identity management.

AOL is also supporting OpenID, making all its accounts automatically OpenID accounts. I observed out to Edwin Aoki, an AOL Chief Architect who is also here, that using a single identity for multiple sites could make the problem worse, since when it gets compromised multiple sites are then at risk. He said that happens anyway, because users already use the same email address and password on multiple sites. A fair point.

I’m actually hoping to see Microsoft’s CardSpace getting wide adoption in tandem with OpenID, as it appears to be more resistant to phishing attacks.

A snag with the most wonderful WordPress is that comments to a post are not broken down into pages. With over eighty comments and climbing fast, this post on slow Outlook 2007 is getting slow to load. Fitting, I guess, but I’d rather it performed better. I looked in vain for a WordPress option to split the comments into pages. I did find this plugin, but although it works it looks bad with the theme I’m using. I suppose a few hours hacking would fix it. I reckon a paging option should be built into WordPress as it will always be a problem on heavily commented posts.

Today IT Week has my piece on the lack of any business model in Yahoo Pipes, a thought underlined by an unusual press release which popped into my inbox. It is from John Earley of MyWebAlert, a company set up to monitor web site availability. Press releases are not usually so dejected:

Following a series of reports (copies available) that proved website availability is miserable in both the public and private sectors, we had thought folks would pay a paltry sum for monitoring and management services. This has proved not to be the case. Having sunk the investment in the software and architecture, we have abandoned hope of a business plan and are now making the service available free-of-charge.

Intrigued, I took a look at the site. The About page confirms this gravity-defying business endeavour, but looks forward to a bright tomorrow “somehow”:

There is no fancy business model, the Company can exist without revenues. It is managed in the belief that somehow, the momentum that it creates, will bring about a means for expanding the range of services that it offers.

It appears that the strategy is working, at least in terms of expanding the business. That’s presuming that site overload is the reason for what happened when I tried to sign up:

One presumes the outage will be short-lived, bearing in mind the company’s raison d’etre.

Incidentally Web site monitoring is also available from Netcraft and no doubt others. For a fee.

Noted producer Tony Visconti made an interesting, sad comment on the CD Loudness wars over on Steve Hoffman’s forum. Visconti has worked with Thin Lizzy, Morrisey, David Bowie and many other well-known artists.

I asked him for his take on this issue, bearing in mind that two of the three most afflicted Bowie releases were produced by him, according to this fan. Visconti replied:

Without mentioning names, many mastering engineers perpetuate the loudness wars. One once turned to me after I made a request for more dynamics and said, “I have a reputation to uphold, I can’t make it that quiet.” Really, I was just asking for the carefully mixed quiet intro to stay quiet until the rest of the band crashed in.

The first thing I noticed was the absence of any content I wanted to view, whereas YouTube is really dangerous if you want to avoid distraction. That will change if the service is popular; but I’m not clear why someone would use Microsoft’s service instead of YouTube which gets the traffic.

The second thing I noticed is that Microsoft is using Flash for these videos, as does YouTube. I gave it a cross-platform test, and was able to use the site on the Mac with Safari and on Linux with FireFox, so kudos to Microsoft for that. I’m puzzled though, because the system requirements state Windows Media Player 9 as well as Flash 8, and Windows Media Player 9 isn’t available for Linux. Nevertheless, it works.

That said, I’m surprised that Microsoft isn’t using SoapBox to show off WPF/E. I appreciate that this is still in beta, but then so is Soapbox. Does Microsoft not intend to use its cross-platform, video-capable solution for its own site? Or will it transition in future?

Tech journalists have a tough job. They are meant to take the vast complexity of things like computers and operating systems and translate them into terms that ordinary people can understand.

Of course there is never a one-to-one mapping between the complex and the simple. The simplified explanation is a compromise.

So let’s look at the question: how secure is Windows Vista? Unfortunately the question is not amenable to a simple answer. Perhaps the best you can do is to try and explain the issues, the ways in which it is more secure than earlier versions of Windows, the ways in which it remains insecure.

Now read this piece on weaknesses in Vista’s UAC (User Account Control). Looks bad, right? About some insightful researcher who “found out — from Microsoft officials — that the default no-admin setting isn’t even a security mechanism anymore.”

Apparently, “In an e-mail interview, the Polish malware researcher said she was “pissed off” by what she perceived as Russinovich’s flippant attitude to the potential risk.”

Frankly, I defy anyone to read and understand Russinovich’s article and call it “flippant”. He explains how the mechanism works, he explains why it works as it does, acknowledges areas of compromise, and shows how to achieve higher security if you want it:

Without the convenience of elevations most of us would continue to run the way we have on previous versions of Windows: with administrative rights all the time. Protected Mode IE and PsExec’s -l option simply take advantage of ILs to create a sandbox around malware that gets past other security defenses. The elevation and Protected Mode IE sandboxes might have potential avenues of attack , but they’re better than no sandbox at all. If you value security over any convenience you can, of course, leverage the security boundary of separate user accounts by running as standard user all the time and switching to dedicated accounts for unsafe browsing and administrative activities.

He’s right. And personally I think ZDNet is giving too much weight to the strident researcher who calls Vista security “a big joke“, while doing too little to examine the real issues which Russinovich explains.

Of course that doesn’t prevent Slashdot and others picking up the story and presuming, because that’s what they want to believe, that Vista security is shot to bits.

It’s not. It is a real advance on XP, not least because of the point Russinovich highlights:

Why did Windows Vista go to the trouble of introducing elevations and ILs? To get us to a world where everyone runs as standard user by default and all software is written with that assumption.

Update

This story gets more curious the more you investigate. The gist of this researcher’s original complaint was that Vista forced her to run setup and installer applications with local admin rights:

That means that if you downloaded some freeware Tetris game, you will have to run its installer as administrator, giving it not only full access to all your file system and registry, but also allowing e.g. to load kernel drivers!

It’s a fair point, though problematic on examination. Installing applications is an administrative task. Still, it’s correct that many installers do not need full admin rights, so the system could be more granular. Fortunately Vista covers this. You can disable the automatic elevation of setup applications in local security policy. In fact, enterprise rollouts have this disabled by default. The researcher is actually aware of this, but says:

Even though it’s possible to disable heuristics-based installer detection via local policy settings, that doesn’t seem to work for those installer executables which have embedded manifest saying that they should be run as administrator. I see the above limitation as a very severe hole in the design of UAC.

Now she’s lost me. The complaint has shifted – there is no problem running setup applications with less than full admin rights, but if the developer specifies with a manifest that full admin rights are required, then Vista automatically prompts for elevation. This of course is working as designed. If you downloaded a “freeware Tetris game” and discovered a manifest insisting on full admin rights, you would likely be wary in any case.

So where is the “very severe hole in the design of UAC”? There is a “severe hole” here, but it is not in the design of UAC. The core problem is that users may try to install malware. They are browsing the web, and perhaps come across a flashing advertisement that says their PC has spyware, but this utility will fix it. They download it. They pass a dialog warning that the file is from the internet and might not be safe. They pass a dialog requesting elevation. At this point, only anti-virus software or something like Windows Defender might save them. How do you fix this, without taking away the user’s right to do what they want with the computer they own?

That said, there is a weakness in UAC in the potential of non-elevated processes to interfere with elevated processed. Mark Russinovich covers this well in his post referenced above. Bottom line is that it’s still best not to run with full admin rights, even with UAC enabled. The long-term purpose of UAC is to get Windows across the hump of legacy applications to a point where local admin rights for day-to-day use are unnecessary.

Fascinating stuff, but I’m finding it frustrating. I tried to do an illustrated blog using For Each Annotate and the Flickr module. I can’t get it to work. I managed to get some images retrieved, but couldn’t get them to display, and their relevance was marginal, even using the Content Analysis module which is meant to retrieve key words. Noticed that the official example which does the same thing doesn’t seem to work either (at the time of writing), which makes me feel better.

Another problem is that the output always truncates each feed item. Any French readers trying the above link will be disappointed when they click the link, as it reverts to English. Not easy to fix, since Yahoo does not publish a Babel Fish API. I could put a Translate link on the blog page, but that wouldn’t be Yahoo Pipes.

Internet Explorer is the dominant browser, Windows the dominant desktop, yet Microsoft’s share of internet search is apparently declining. Here’s why. I’m researching Yahoo Pipes; I forget the exact url for the Pipes home page so I type the search into the IE7 search box, where Microsoft’s “Live search” is the default.

The page I want is not on the first page of results. The ads are irrelevant. Some of the search results are at least relevant, but they are not what I would call top tier results.Even the O’Reilly link is a page for all articles tagged Yahoo, not one of the actual Pipes articles.

So I switch to Google search. The page I want is top of the search results. The other entries are more relevant. Even the ad is moderately relevant (at least it is about software Pipes not metal tubes).

This is of course anecdotal. It was also a tough test, considering Yahoo Pipes is new. Perhaps there are hundreds of other searches where Live Search gets better results. All I can say is that I rarely discover them, whereas I frequently find Google’s results much better. This just struck me as a good example.

Microsoft will never improve its share of search unless it can deliver at least equally good results.

It does sound like it. If so, there’s no need to be so mysterious. JavaScript a.k.a. ActionScript a.k.a. ECMAScript is growing fast, thanks to AJAX along with Adobe’s work on Flash, Flex and Apollo. See this Register article for more of my comments on this.

New is drifting out concerning CodeGear’s plans to evolve its development tools. Here’s a snippet from Michael Swindell, CodeGear’s VP of products, writing in the Delphi non-technical newsgroup:

Dynamic languages such as PHP and Ruby new areas where we will be going. Some products will be more in the RAD camp, aligned with Delphi and VCL, and others will be more in the Open Source/Eclipse/Enterprise world. As a developer focused company we cannot be just the Object Pascal, C++, Java development company… there is way too much happening in the world of programming and languages and frameworks for us to stand still.

All a bit vague, but I do get the impression of renewed energy at CodeGear now that it is somewhat independent of its parent company, Borland. There are also mutters about Ruby and about another take on Kylix, Delphi for Linux.

Is PHP a good bet? Possibly, insofar as PHP is hugely popular but not particularly well supported by development tools. Personally I’d rather work in ASP.NET or Java; yet I have huge admiration for WordPress, to mention just one PHP-based application. As ever, CodeGear will be up against strong free tools, not least the existing Eclipse PHP Development Tool.

Cast your mind back 12 years, if you have been around that long. Borland’s Delphi 1.0, released in 1995, was worth paying for, in fact a fantastic bargain, because it cracked the problem of combining visual RAD productivity and fast native compiled code. What could have a similar impact today, when Microsoft has Windows development wrapped up, and Java has a surfeit of high quality free tools? I don’t find it easy to see.